Audit Report

OIG-07-023
Management Letter for the Fiscal Year 2006 Audit of the
United States Mint’s Financial Statements

December 21, 2006

Office of
Inspector General
DEPARTMENT OF THE TREASURY

This report has been reviewed for public dissemination by the Office of Counsel
to the Inspector General. Information requiring protection from public
dissemination has been redacted from this report in accordance with the Freedom
of Information Act, 5 U.S.C. section 552.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF
INSPECTOR GENERAL

December 21, 2006

MEMORANDUM FOR EDMUND C. MOY, DIRECTOR
               UNITED STATES MINT

FROM:          Joel A. Grover
               Deputy Assistant Inspector General
               for Financial Management and Information
               Technology Audits

SUBJECT:       Management Letter for the Fiscal Year 2006 Audit of the
               United States Mint’s Financial Statements

I am pleased to transmit the attached management letter in connection with the
audit of the United States Mint’s (Mint) Fiscal Year 2006 financial statements.
Under a contract monitored by the Office of Inspector General, KPMG LLP, an
independent certified public accounting firm, performed an audit of the financial
statements of the Mint as of September 30, 2006, and for the year then ended.
The contract required that the audit be performed in accordance with generally
accepted government auditing standards; applicable provisions of Office of
Management and Budget Bulletin No.
06-03, Audit Requirements for Federal
Financial Statements; and the GAO/PCIE Financial Audit Manual.

As part of its audit, KPMG LLP issued and is responsible for the accompanying
management letter that discusses other matters involving internal control over
financial reporting and its operation that were identified during the audit but were
not required to be included in the audit reports.

In connection with the contract, we reviewed KPMG LLP’s letter and related
documentation and inquired of its representatives. Our review disclosed no
instances where KPMG LLP did not comply, in all material respects, with generally
accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5400, or a
member of your staff may contact Mike Fitzgerald, Director, Financial Audits,
at (202) 927-5789.

Attachment

THE UNITED STATES MINT
Management Letter
Fiscal Year 2006

Table of Contents

Transmittal Letter

Appendix A – Fiscal Year 2006 Management Letter Comments

Inventory Management

A-1  Controls Over Tracking Die Steel Rods Should be Strengthened
A-2  Physical Inventory Procedures at West Point Should be Strengthened
A-3  Security at the [REDACTED] Warehouse Should be Strengthened
A-4  Improvements Needed to Monitor Slow-Moving and Obsolete Inventory
A-5  Procedures Should be Enhanced to Observe Physical Inventory [REDACTED]
A-6  Quarterly Physical Inventory Procedures Should be Strengthened

Asset Management

B-1  Controls Over Asset Retirements Should be Strengthened
B-2  Policies and Procedures for Performing Impairment Analysis Should be Reviewed

Revenue Generation and Collection

C-1  Controls Over Monitoring the MOA with the USPS Should be Strengthened
C-2  Controls Over the Preparation of Shipping Documents Should be Strengthened
C-3  Improper Recognition of Consignment Sales

Human Resource Management

D-1  Controls Should be Developed for Monitoring Payroll Processed by Service Providers

Procurement

E-1  Controls Over Disbursements Should be Strengthened
E-2  Controls Over Document Retention of Purchase Orders Should be Strengthened
E-3  Accounts Payable Module Should be Enhanced to Automatically Calculate Prompt Pay Penalty Interest

Manufacturing

F-1  Management Review of Variances Should be Formalized and Strengthened
F-2  Controls Over Document Retention for Standard Costs Should be Strengthened

Information Technology

G-1  Improvements Needed in Specialized Training for Employees
G-2  Improvements Needed in Audit
Reviews [REDACTED]
G-3  Improvements Needed in Network Account Management
G-4  Improvements Needed in Data Security Controls
G-5  Improvements Needed in Internal System Device Controls

Financial Reporting

H-1  Standard Operating Procedures Should be Implemented for Heritage Assets

Appendix B – United States Mint’s Response

Appendix C – Status of Prior Year Management Letter Comments

KPMG LLP
2001 M Street, NW
Washington, DC 20036

December 8, 2006

Inspector General
United States Department of the Treasury
740 15th Street, NW, Suite 600
Washington, DC 20220

Director
The United States Mint
801 9th Street, NW
Washington, DC 20001

Ladies and Gentlemen:

We have audited the financial statements of the United States Mint (Mint) for the years ended September 30,
2006 and 2005, and have issued our report thereon dated December 8, 2006. In planning and performing our
audits of the Mint’s financial statements, we considered the Mint’s internal control over financial reporting, in
order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements,
but not for expressing an opinion on the effectiveness of the Mint’s internal control.
Accordingly, we do not
express an opinion on the effectiveness of the Mint’s internal control.

During our fiscal year 2006 audit of the Mint’s financial statements, we noted one matter involving internal
control over financial reporting and its operation that we considered to be a reportable condition under standards
established by the American Institute of Certified Public Accountants. In our Independent Auditors’ Report on
Internal Control, dated December 8, 2006, we reported that we considered the finding related to the Mint’s
financial accounting and reporting controls to be a reportable condition, but that we did not consider this
condition to be a material weakness.

Our audit procedures were designed primarily to enable us to form an opinion on the Mint’s financial statements,
and therefore, may not bring to light all weaknesses in policies or procedures that exist. However, we also take
this opportunity to share our knowledge of the Mint, gained during our work, to make comments and suggestions
that we hope can be useful to you.

Although not considered to be reportable conditions, we noted certain matters involving internal control and
other operational matters, which are presented in Appendix A, for your consideration. These comments and
recommendations, all of which have been discussed with the appropriate members of management, are intended
to improve the Mint’s internal control or result in other operating efficiencies. We have not considered the Mint’s
internal control since the date of our report. The Mint’s response to our comments and recommendations is
presented in Appendix B. Appendix C presents the status of prior year management letter comments.

We appreciate the courteous and professional assistance that the Mint’s personnel extended to us to complete our
audit timely.
We would be pleased to discuss these comments and recommendations with you at any time.

KPMG LLP, a U.S. limited liability partnership, is the U.S.
member firm of KPMG International, a Swiss cooperative.

This communication is intended solely for the information and use of the Mint’s management and others within
the organization, and the United States Department of the Treasury’s Office of Inspector General, the U.S.
Government Accountability Office, Office of Management and Budget, and the U.S. Congress, and is not
intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Appendix A

THE UNITED STATES MINT
Fiscal Year 2006 Management Letter Comments

Inventory Management

A-1 Controls Over Tracking Die Steel Rods Should be Strengthened

The United States Mint (Mint) uses Die Steel Rods to create the press molds for pressing the coins. The Die Steel
Rods are purchased in bulk and can take up to 2 years to utilize.
During the 3rd Quarter Physical Inventory (QPI)
at the Denver Mint, we noticed an inconsistency between the number of rods received by weight and piece count
and the amount listed on the packing list.

We recommend that the Mint:

• Implement a process for recording the steel bar removed for testing, including serial number or unique
  identifier of the steel for future reference.
• Implement a process of weighing the steel bar removed from the warehouse once it is received at the Mint.
  Implement a tracking spreadsheet, which will be utilized to track the weight of the bar and update [REDACTED]
  for the removal of the steel bar from raw material to work-in-process. During the next visit to the warehouse
  update the packing list with the weight removed.
• Contact the Contracting Officer Technical Representative of the die steel contract to request that the
  contractor send more detailed packing lists, including number of bars per lot and serial numbers.

A-2 Physical Inventory Procedures at West Point Should be Strengthened

During our inventory observation test work at the West Point Mint, we noted that the Annual Physical Inventory
(API) was not conducted for a full metal inventory count, as required in the Mint policy. A statistician developed
a sampling methodology for this facility during May 2001 to select a sample of items for counting during the
API.
However, the methodology has not been included in the Mint-wide policies nor has it been subsequently
reviewed or updated to ensure previous criteria are still applicable and sufficient to provide adequate coverage of
the total inventory on hand as of the count date.

Further, we noted that there were inventory movements around the vault floor during the API; five shipments
were made from West Point to either third party customers [REDACTED], and these shipments were not clearly
segregated from items being inventoried nor adequately labeled.

We recommend that the Mint re-evaluate its policies and procedures and determine whether the API at the West
Point Mint should be conducted for “full metal” counts or on a sample basis. If the Mint deems recounting
physical inventory on a sample basis is sufficient, the sampling methodology should be reviewed on an annual
basis for these facilities to take into account the inventory on hand at the date of the count to ensure that the
samples selected for the physical inventory are adequate.

Further, management should ensure that items for shipment are clearly segregated from the inventoried items and
adequately labeled to indicate that they are held for third parties.

A-3 Security at [REDACTED] Warehouse Should be Strengthened

During our inventory observation test work, we noted that the physical security in place at the [REDACTED]
warehouse can be improved to ensure the proper safeguarding of the Mint’s assets.

We recommend that the Mint review its existing policies and procedures to ensure enforcement and compliance
with the lease agreement by the
warehouse storing the Mint’s assets, and that all assets are adequately
safeguarded.

A-4 Improvements Needed to Monitor Slow-Moving and Obsolete Inventory

During our Inventory Management test work, we identified a number of inventory items on hand totaling
$1,620,465 that were slow moving, but were not classified as slow moving or obsolete during fiscal year 2006.
We noted that these items were recorded at original cost and/or written down to the scrap value of the metal,
although they should have been written off or have an allowance for impairment recorded against them as of
September 30, 2006.

We recommend that the Mint strengthen its inventory management policies to ensure the continuous monitoring
and tracking of slow moving or obsolete inventory. The Mint should develop an aging analysis, and designate a
senior official in the Office of Corporate Accounting (OCA) to perform a detail review of all inventory listings
on a monthly basis to ensure that the production facilities are properly identifying the slow moving items.
Further, an allowance methodology should be developed by OCA, to ensure that the appropriate entries are
recorded for impairment, if required, on a timely basis.

A-5 Procedures Should be Enhanced to Observe Physical Inventory [REDACTED]

The Mint maintains finished goods inventory at a third party warehouse, [REDACTED] and an
annual inventory is performed [REDACTED] in accordance with standard inventory count procedures as agreed upon
between the Mint [REDACTED].

During our inventory observation at [REDACTED], we noted that the Mint personnel did not observe the first day of
the physical inventory, and do not have a defined sampling plan to perform test counts of inventory held [REDACTED].
We noted that reliance is placed on the [REDACTED] count team performing recounts to reconcile variances
noted, and test counts were only performed by the Mint team for major variances that were still identified after
several recounts.

The Mint’s inventory procedures should be enhanced to require Mint personnel to be on hand during the entire
physical inventory count [REDACTED] as well as require them to perform documented test counts or recounts.
Further, the Mint employees should select a statistical sample of inventory on hand and perform recounts along
with the [REDACTED] count team throughout the physical inventory.

A-6 Quarterly Physical Inventory Procedures Should be Strengthened

During our inventory observation test work, we noted that the Mint-wide Standard Operating Procedures (SOP)
for the QPI provides the manufacturing facilities the authority to develop their own procedures for performing
the QPI, resulting in variation between the facilities. We noted that some of the Mint-wide QPI procedures were
not performed in accordance with specific instructions in the SOP at the Philadelphia Mint as follows:

• The physical inventory count was performed by the personnel on the plant floor who work with the inventory
  on a day to day basis, and no independent Mint personnel were in attendance to observe and corroborate the
  results of the QPI.
• After the inventory was counted and/or weighed, inventory items were not cordoned off or locked with a
  numbered seal.
  As a result, it was difficult to track and monitor which items had been counted.
• The Mint stores inventory items in metal tanks by denomination. The tanks are numbered for identification
  purposes and also have the weight of the tank “tare weight” detailed on the side to ensure that the weight of
  the tank is not included and counted in the weight of the inventory. We noted that for 11 of the 104
  work-in-process inventory items selected for recount, the Mint personnel incorrectly subtracted the tank number
  instead of the tare weight from the total amount weighed, which resulted in the Mint recording the incorrect
  amount of inventory on hand.
• The reconciliation of the Costed Inventory By Account (CIBA) subsidiary ledger to the [REDACTED] general
  ledger was not performed prior to the inventory count to identify reconciling items, nor after the count to
  ensure that the adjustments were posted correctly. Further, the detailed supporting documentation for the
  adjustments posted was not maintained.
• There was no evidence of review and approval of the QPI results and adjustments prior to the entries being
  posted to the [REDACTED] general ledger. The QPI adjustments posted by the Philadelphia Mint did not
  include any evidence of review by the Financial Managers, Plant Managers, the Office of Chief Financial
  Officer (OCFO), or the Manufacturing Strategic Business Unit (MSBU) at Headquarters.

We recommend that the Mint review and revise the SOP and require management at Headquarters to perform
inventory control monitoring procedures at each Mint facility. Further, the management should ensure that the
Further, the management should ensure that the\nPhiladelphia Mint:\n\n\xe2\x80\xa2\t Develop clear inventory instructions and conduct training sessions on the inventory procedures that should be\n   performed during the QPI, with all personnel participating in the inventory, including employees from the\n   plant floor, coining, and accounting. In addition, the Philadelphia Mint should select count teams that include\n   independent employees from other departments to assist in the inventory count. Further, all personnel should\n   be required to remain on hand through the conclusion of the inventory count.\n\xe2\x80\xa2\t Develop a clear and consistent system for marking inventory items counted to ensure that the QPI count is\n   complete, and that they have control over inventory movement during the QPI count. Management should\n   consider the use of rope/tape and grip locks to seal off all tanks that have been counted, and attaching the\n   physical count sheets to each individual coil that is not part of the racking system to indicate it has been\n   counted.\n\xe2\x80\xa2\t Ensure that count teams are trained to search for the proper tare weight when performing an inventory count.\n   In addition, the tanks holding inventory should be clearly labled with both the tank number and the tare\n   weight of the tank to ensure that inventory count teams can easily identify and subtract the correct tare weight\n   when weighing inventory items.\n\xe2\x80\xa2\t Run the CIBA report from the Mint\xe2\x80\x99s subsidiary ledger before and after the QPI count and perform\n   reconciliation to the [REDACTED] general ledger.\n\xe2\x80\xa2\t Establish policies and procedures that require the QPI adjustments be adequately supported by detailed\n   documentation and be reviewed and signed-off by both a management-level reviewer at the field sites and at\n   Headquarters.\n\n\n\n                                                        7\n\n\x0c                                    

Asset Management

B-1 Controls Over Asset Retirements Should be Strengthened

During our Asset Management test work, we noted that for 2 of 23 asset retirement sample items the Mint could
not locate the Excess Property report that had been signed by the Property Manager.

We recommend that the Mint establish and implement a method to ensure that Excess Property forms are properly
filed and to ensure that the forms are available for examination for a reasonable time period after the retirement
transaction.

B-2 Policies and Procedures for Performing Impairment Analysis Should be Reviewed

During our Asset Management test work, we noted that the manufacturing facilities of the Mint perform an
impairment analysis by using the Net Book Value report as well as physical verification to determine if an asset
is impaired (i.e., damaged, obsolete, no longer in use, and not currently disposed). However, we noted that the
Mint does not perform a Mint-wide analysis of asset impairment, independent of the facility level review,
utilizing annual reports that are issued by the engineers regarding the operational capacity reports.
This analysis
is beneficial in further determining impairment issues related to the future cash flows of an asset.

We recommend that the Mint consider establishing policies and procedures to review the annual reports prepared
by the engineers, and perform an independent Mint-wide impairment analysis.

Revenue Generation and Collection

C-1 Controls Over Monitoring the MOA with the USPS Should be Strengthened

During our Revenue test work, we noted that the Mint is not complying with the terms in the Memorandum of
Agreement between the United States Postal Service and the United States Mint for a Joint Product Partnership
(MOA). The MOA is dated August 22, 2002, and specifies the terms for splitting revenues generated through the
sales efforts undertaken by both the Mint and the United States Postal Service (USPS), but these terms have not
been followed by the Mint and amounts due to/from the USPS have not been calculated, accrued, or paid to date.

We recommend that the Mint review the terms of the MOA with the USPS and implement policies and
procedures that require the calculations and reconciliation of amounts due to/from the USPS on a regular basis.
Once amounts due to/from the USPS are determined, applicable adjustments should be promptly recorded in the
general ledger.

C-2 Controls Over the Preparation of Shipping Documents Should be Strengthened

During our walkthroughs and control test work, we noted that the Mint prepares Government Bill of Lading
(GBL) documentation for all shipments prior to the shipment date.
We noted that the GBLs are pre-populated
using the shipment date scheduled with the third party carrier.

We recommend that the Mint strengthen its shipping policies to ensure that the shipment date is left blank on all
GBLs, and require truckers from the third party carrier to sign and date the GBLs when the inventory is loaded on
the truck and physically leaves the Mint’s loading dock.

C-3 Improper Recognition of Consignment Sales

During our Revenue test work, we noted that revenue on consignment sales is improperly recognized when
products are shipped to the consignee, for future sales, and not when the products are ultimately sold by the
consignee. The consignee does not have an obligation to pay the Mint until the products are ultimately sold and
has the right to return the products to the Mint at any time.

We recommend that the Mint review and revise the revenue recognition policy for consignment sales to ensure
that revenue is recognized when the products are ultimately sold by the consignee, and not when products are
shipped.

Human Resource Management

D-1 Controls Should be Developed for Monitoring Payroll Processed by Service Providers

The Mint outsourced certain payroll functions to the Bureau of the Public Debt’s Administrative Resource Center
(ARC) during fiscal year 2006. ARC submits the Mint’s payroll information to the National Finance Center
(NFC), which processes the Mint’s payroll.
We noted that the Mint has not updated the Standard Operating
Procedures (SOP) to address current operational requirements, and no controls have been established to verify
that the payroll is properly processed by NFC and ARC at the employee level. We noted that only a monthly
reconciliation is being performed to reconcile the payroll expense paid by the NFC [REDACTED].

We recommend that the Mint implement adequate controls over the payroll process to ensure that payroll
processed by NFC and ARC is complete and accurate. Further, enhanced SOP should be developed to provide a
clear audit trail of the processes and controls that are performed at ARC and the Mint.

Procurement

E-1 Controls Over Disbursements Should be Strengthened

During our Procurement test work, we noted that for 9 of 119 disbursements reviewed, the invoices were not
date-stamped as required. Of the 9 discrepancies, 6 invoices were from the Philadelphia Mint, 1 was from the
West Point Mint and 2 were from Fort Knox.

We recommend that the Mint establish an internal review process to ensure that all invoices are date-stamped
when received prior to being approved for payment.

E-2 Controls Over Document Retention of Purchase Orders Should be Strengthened

During our Procurement test work, we noted that for 1 of the 119 disbursements tested, the signed purchase order
was not provided by the Mint as of the completion of our procurement test work on November 28, 2006.

We recommend that the Mint management strengthen its procurement document retention policy to ensure that
adequate documentation is readily available and properly maintained for all disbursement transactions.

E-3 Accounts Payable Module Should be Enhanced to Automatically Calculate Prompt Pay Penalty Interest

During our disbursement test work, we noted that although 11 of the 119 disbursements tested were paid more
than 30 days late, the Mint did not pay $3,266.22 of prompt pay interest penalty in accordance with the Prompt
Payment Act. Of the 11 invoices, 7 were from the Philadelphia Mint, 3 were from the West Point Mint, and 1
was from Headquarters.

We recommend that the Mint enhance the Accounts Payable Module to ensure that prompt pay interest is
automatically calculated for disbursements that are paid beyond the timeframe stipulated in the Prompt Pay Final
Rule. In the interim, the Mint should designate a supervisor to perform a detailed review of accounts payable
reports to identify invoices that are due for payment.

Manufacturing

F-1 Management Review of Variances Should be Formalized and Strengthened

During our manufacturing test work, we noted that the Mint Standard Operating Procedure (SOP) related to
standard cost accounting procedures does not specifically require reconciling items and variances to be
documented and supported. As a result, the monthly review of variances between standard cost rates and
over/under applied overhead, which ensures that costs associated with the production and manufacture of coins are
allocated to inventory balances on a monthly basis, did not provide detailed explanations of the nature of the
variances identified and supporting documentation to determine how the Mint obtained comfort over the
reasonableness of the variances identified.

We recommend that the Mint revise its policies and procedures to require evidence and support for the monthly
review and approval of variances between standard cost rates and over/under applied overhead.
The analysis
should be signed-off by both the preparer and a management-level reviewer. In addition, the analysis should
quantify what the Mint deems significant, the rationale for the reasonableness of significant variances identified,
and support for the conclusions reached.

F-2 Controls Over Document Retention for Standard Costs Should be Strengthened

During our audit, we noted that the Mint utilized forecasts and projections of metal prices from 26 different
economists, in order to estimate the standard costs for metals. On a monthly basis, the Mint performs an
over/under analysis to identify variances between the standard costs and actual costs incurred and record the
necessary adjustment [REDACTED]. However, we noted that the Mint does not have a policy describing the
theory, assumptions, methods, and source data used to forecast standard cost for inventory. Additionally, we
noted that the Mint did not maintain the source data used to calculate the standard costs for metals in the current
year.

We recommend that the Mint develop a policy describing the theory, assumptions, methods, and data used to
forecast unit rates for inventory.
Additionally, we recommend that the Mint retain for their records (and to fulfill
audit requests) supporting documentation utilized in their forecasting of standard costs.

Information Technology

G-1 Improvements Needed in Specialized Training for Employees

During our test work regarding the Entity-Wide Specialized Security training, we noted that:

• The Mint did not provide adequate documentation noting that all individuals with specialized security roles
  had attended specialized training to support their job function and duties.
• Specialized training content is not targeted to the specialized functions of those individuals taking the
  training (i.e., there is not a specific training for Administrators, Database programmers, security specialists,
  etc.). The training is an overview detailing what should be covered.

We recommend that the Mint implement policies and procedures requiring individuals with critical security
functions to attend additional role-based security training beyond the standard annual security awareness training
and adequately track the completion of specialized training.

G-2 Improvements Needed in Audit Reviews [REDACTED]

During our test work regarding audit trail review, we noted that the Mint has not consistently conducted periodic
reviews of [REDACTED] system-generated audit logs.
Although the Mint has policies in place that define the type of
activities that are logged, procedures are not clear as to how often the logs should be reviewed.

Based on discussion with the Mint, we determined that audit logs are not reviewed on a regular basis, and there
are inconsistencies between the formal procedures for reviewing logs and the actual methods in place.

We recommend that the Mint strengthen policies and procedures to ensure that:

•  An individual independent of the personnel administering the Mint WAN is tasked with the responsibility
   for reviewing system audit trails on a regular basis.
•  The review of audit logs is documented to provide evidence of review and included in the daily Titan
   Reports when reviews are conducted.
•  The audit log files are retained and archived in accordance with Mint policy.
•  Policies are updated to include regular periodic review (i.e. daily, weekly, etc.) of audit logs and employ the
   use of automated tools to analyze logs and automatically alert administrators of potential issues.

G-3  Improvements Needed in Network Account Management

During our test work regarding [REDACTED] account access management, we noted the following
[REDACTED]:
•  [REDACTED] passwords that do not expire.
•  [REDACTED] who left the Mint over 9 months ago but still have accounts on the system.
•  [REDACTED] account that never logged in.
•  [REDACTED] accounts that never logged in.
•  [REDACTED] accounts with passwords that do not expire.
•  [REDACTED] accounts with passwords that do not expire.
•  [REDACTED] accounts with passwords that do not expire.
•  Over 1000 accounts have not logged in for over 90 days and still have accounts (90 day period for removal).
•  Multiple test accounts detected.

We recommend that the Mint strengthen policies and procedures to ensure that:

•  [REDACTED] accounts for separated individuals are disabled and deleted in a manner consistent with
   Federal guidance.
•  Evidence of [REDACTED] account management activities is documented for verification and audit trail purposes.
•  [REDACTED] account list reviews are implemented effectively such that unused user accounts are disabled
   and removed if no longer needed.

G-4  Improvements Needed in Data Security Controls

During our test work regarding the physical access to the data center, we noted that:
•  Visitor logs for Data Center 799 were missing at the Data Center tour. Once the logs were located, the
   information located in the logs was inconsistent. We noted that the logs did not have the full date, month,
   and year. Thus, the Mint could not verify when people entered or left the vault; and
•  Electric Data Center swipe logs of individuals accessing the Data Center were not provided.
   These are controlled by the Office of Protection.

We recommend that the Mint:
•  Continue its review processes and ensure that all currently authorized personnel have legitimate business
   needs for Data Center access.
•  Review physical access lists to sensitive areas at least quarterly.
•  Require all individuals, including those with authorized swipe access to the Data Center, to sign in and
   complete the visitor log each visit.
•  Increase management oversight to ensure existing policies and procedures related to physical and logical
   access controls are adhered to.
•  Assign the data center supervisor, or another appropriate individual, responsibility for ensuring the visitor
   log is completely filled out by all persons not included on the approved access list.
•  Periodically review the visitor log to verify its completeness and investigate any incomplete entries.

G-5  Improvements Needed in Internal System Device Controls

The results of our internal penetration study are as follows:

•  Weak [REDACTED] passwords were found on 8 [REDACTED]; and
•  6 systems were found to have [REDACTED] accounts with weak passwords.

We recommend that the Mint:

•  Require accounts with preconfigured, pre-set, widely known passwords to be modified to adhere to
   National Institute of Standards and Technology (NIST) guidance.
•  Enforce procedures for conducting periodic password audits in order to ensure users are complying with
   Federal guidance.
•  Perform vulnerability assessments and penetration tests on all offices of the Mint, from a centrally
   managed location with a standardized reporting mechanism, on a regularly scheduled basis in accordance
   with NIST guidance.
•  Provide training sessions to ensure that system and network users and administrators are aware of the risks
   with establishing new devices. Such training should include guidance on using strong passwords and
   ensuring security testing of all devices before they enter production.
•  Ensure that as new systems are added and older systems decommissioned, an active inventory is
   maintained so that no hosts are overlooked during vulnerability scans. This will also contribute to the
   development of scan policies based on machine/server class as discussed in the previous recommendation.

Financial Reporting

H-1  Standard Operating Procedures Should be Implemented for Heritage Assets

During fiscal year 2006, we noted that the United States Mint adopted the provisions of Statement of Federal
Financial Accounting Standards (SFFAS) No. 29, Heritage Assets and Stewardship Land. The United States
Mint removed museum quality pieces from operating inventory [REDACTED] and created a new
heritage assets footnote as required by SFFAS No. 29. However, as noted in fiscal year 2005, the Mint does not
have policies and procedures in place to ensure compliance with SFFAS No. 29.

We recommend that the United States Mint develop standard operating procedures to ensure compliance with
SFFAS No. 29. These procedures should require the implementation of tracking procedures to ensure that
heritage coins and other heritage property, plant and equipment items are properly presented.
Tracking, at a
minimum, should include a description of major categories, physical unit information for the end of the reporting
period, physical units added and withdrawn during the year, a description of the methods of acquisition and
withdrawal, and condition information.

Appendix B

Appendix C

THE UNITED STATES MINT
Status of Prior Year Management Letter Comments
Fiscal Year 2006 Management Letter

          Fiscal Year 2005 Management Letter Comment              Fiscal Year 2006 Status

Inventory Management
  A-1     Physical Security at Warehouse Should be Improved       Repeated: See fiscal year 2006 revised
          and Closely Monitored                                   comment at A-3.
  A-2     Management Review of QPI/API Results Should be          Repeated: See fiscal year 2006 revised
          Strengthened                                            comment at A-6.
  A-3     Improvements Required over the Physical Verification    Closed.
          of Coils Received from Vendors
  A-4     Quarterly and Annual Physical Inventory Procedures      Repeated: See fiscal year 2006 revised
          Should be Standardized                                  comment at A-6.
  A-5     Sampling Methodology for Physical Inventories           Repeated: See fiscal year 2006 revised
          Should be Strengthened                                  comment at A-2.
  A-6     Standard Operating Procedures Should be                 Partially Resolved: See fiscal year 2006
          Implemented for Heritage Assets                         revised comment at H-1.
  A-7     Improvements Needed to Monitor Slow-moving and          Repeated: See fiscal year 2006 revised
          Obsolete Inventory                                      comment at A-4.

Asset Management
  B-1     Controls over Asset Retirements Should be               Repeated: See fiscal year 2006 revised
          Strengthened                                            comment at B-1.
  B-2     Controls over Monthly Property, Plant and Equipment     Closed.
          Reconciliations Should be Strengthened

Revenue Generation and Collection
  C-1     Improper Revenue Recognition for Consignment            Repeated: See fiscal year 2006 revised
          Sales                                                   comment at C-3.
  C-2     Controls over Signatures on Bullion Release             Closed.
          Authorization Memos Should be Strengthened
  C-3     Controls over Monthly Revenue Reconciliations           Closed.
          Should be Strengthened
  C-4     Controls over Monitoring the MOA with USPS              Repeated: See fiscal year 2006 revised
          Should be Strengthened                                  comment at C-1.
  C-5     Standard Operating Procedures Should be Established     Partially Resolved: See fiscal year 2006
          for Sales made to FRB                                   revised comment at C-2.

Human Resource Management
  D-1     Control over Time and Attendance Reports Should be      Closed.
          Improved
  D-2     Management Review of the HR Connect Mismatch            Closed.
          Reports Should be Strengthened

Procurement
  E-1     Control over Disbursements Should be Strengthened       Repeated: See fiscal year 2006 revised
                                                                  comment at E-1.
  E-2     Controls over Approving Invoices Should be              Closed.
          Strengthened
  E-3     Controls over Updating Vendor and Customer Contact      Closed.
          Information Should be Strengthened

Manufacturing
  F-1     Policies over the Timing for Updating Inventory         Closed.
          Standard Costs Should be Reviewed
  F-2     Management Review of Variances Should be                Repeated: See fiscal year 2006 revised
          Formalized and Strengthened                             comment at F-1.

Budgetary Resources
  G-1     Controls over Budgetary Resources Should be             Closed.
          Strengthened

Information Technology
  H-1     Improvements Needed Related to Access Control           Closed.
          Policies and Procedures
  H-2     Improvements Needed Related to Security Plan            Closed.
          Policies and Procedures
  H-3     Improvements Needed Related to Service Continuity       Closed.
          Policies and Procedures
  H-4     Improvements Needed Related to Patch Management         Closed.
          [REDACTED]
  H-5     Improvements Needed Related to Password Policy          Partially Resolved: See fiscal year 2006
                                                                  revised comment at G-5.

Financial Reporting
  J-1     Management Approval for Use of Facsimile Signature      Closed.